BlackBox: Secure containers for untrusted operating systems
This technology is a container architecture algorithm, paired with Arm virtualization hardware, that protects the confidentiality and integrity of application data on untrusted operating systems.
Unmet Need: Efficient method to safeguard application data on shared computing infrastructure
Conventional container architectures allow information to flow directly from containers to the operating system, which can itself be susceptible to malicious attacks, leading to high security risks. Approaches developed to protect application memory include hardware solutions and add-ons to hardware-based mechanisms, but these suffer from strict requirements on how applications are written and from large memory requirements, respectively. Hypervisors also offer protection by encrypting application memory, but they require enormous trusted computing bases.
The Technology: Algorithm to secure containers with minimized trusted computing base
This technology uses a container security monitor that eliminates the direct channel of information between containers and the operating system by creating distinct physical address spaces for each container and for the operating system. Paired with Arm virtualization hardware, this algorithm has been shown to prevent attacks more effectively than conventional methods while incurring only modest overheads.
Applications:
- Protection of computer secrets and application data
- Privacy and security enhancement
- Prevention of malicious computer attacks
Advantages:
- Improved security guarantee
- Minimization of computing requirements
- Isolated container architectures
Lead Inventor:
Patent Information:
Related Publications:
Tech Ventures Reference:
IR CU21312
Licensing Contact: Greg Maskel
